Interactive Theorem Proving in Higher-Order Logics

Transcription

1 Interactive Theorem Proving in Higher-Order Logics Partly based on material by Mike Gordon, Tobias Nipkow, and Andrew Pitts Jasmin Blanchette

2 Automatic Interactive

3 What are proof assistants? Proof assistants (or interactive theorem provers) are programs with a graphical user interface designed for proving logical formulas. The logical formulas may represent mathematical theorems but also the correctness of hardware or software. Proof assistants help catch almost all flaws in pen-andpaper proofs, but they are tedious to use.

4 What are they based on? Different proof assistants are based on different logics. Some logics are more expressive (flexible) than others; others are easier to automate. less expressive easier to automate First-Order Logic Higher-Order Logic more expressive harder to automate Set Theory Type Theory

5 Why should we trust them? Some proof assistants are designed around a small inference kernel, with simple logical primitives. Some generate detailed proof objects, which can be rechecked independently by small programs. And some just have to be trusted.

6 What are the main systems? Small kernel Proof objects First-Order Logic ACL2 x x Higher-Order Logic HOL4 HOL Light Isabelle/HOL PVS x x x ( x ) x ( x ) x ( x ) Set Theory Isabelle/ZF Mizar x ( x ) x x Type Theory Agda Coq Lean Matita x x ( x ) x x x x x

7 Are proof assistants toys? Mathematics Hardware Software Programming languages Four-color theorem Feit-Thompson theorem Kepler conjecture AMD Intel Compiler Operating system Program semantics courses POPL conference Coq Coq HOL Light & Isabelle/HOL ACL2 HOL Light Coq Isabelle/HOL Coq & Isabelle/HOL Coq & Agda

8 Are proof assistants toys? Automated reasoning Completeness of FOL SAT proof checkers SAT solver with 2WL Resolution Superposition Coq, Isabelle/HOL, Mizar,... ACL2, Coq, Isabelle/HOL Isabelle/HOL Isabelle/HOL Isabelle/HOL

9 What do proofs look like? Tactical proofs apply tactics to the proof goal to produce a new proof goal, proceeding in a backward fashion. Declarative proofs state intermediate properties, proceeding in a forward fashion.

10 What do proofs look like? Let us prove A and B implies B and A using tactics. Goal:ss A and B implies B and A Tactic:s rule and-left Goal: ss A, B implies B and A Tactic:s rule and-right Goals:s A, B implies B and A, B implies A Tactics: rule implies-trivial rule implies-trivial No goals left

11 What do proofs look like? Let us prove A and B implies B and A declaratively. proof assume A and B from A and B have A by (rule and-get-left) from A and B have B by (rule and-get-right) from B, A show B and A by (rule and-right) qed

12 Can proofs be automated? Most proof assistants offer a variety of general and specialized automatic tactics. The Simplifier rewrites by applying equations left-to-right; e.g. the equation x + 0 = x can be used to simplify the goal < 3 to 2 < 3. The Arithmetic Procedure can prove formulas involving linear arithmetic, e.g. 2 < 3, k > n or k = 0 or [k n and k 0]. The General Reasoner performs a systematic, bounded proof search, applying rules like and-left and and-right.

13 Can proofs be automated? In addition, automatic theorem provers can be invoked via tools such as Sledgehammer for Isabelle/HOL and HOLyHammer for HOL Light and HOL4. These provers perform a systematic search in first-order logic and are designed to be very efficient. There are also integrations of computer algebra systems.

14 Does there exist a function f from reals to reals such that for all x and y, f(x + y 2 ) f(x) y? let lemma = prove (`!f:real->real. ~(!x y. f(x + y * y) - f(x) >= y)`, REWRITE_TAC[real_ge] THEN REPEAT STRIP_TAC THEN SUBGOAL_THEN `!n x y. &n * y <= f(x + &n * y * y) - f(x)` MP_TAC THENL [MATCH_MP_TAC num_induction THEN SIMP_TAC[REAL_MUL_LZERO; REAL_ADD_RID] THEN REWRITE_TAC[REAL_SUB_REFL; REAL_LE_REFL; GSYM REAL_OF_NUM_SUC] THEN GEN_TAC THEN REPEAT(MATCH_MP_TAC MONO_FORALL THEN GEN_TAC) THEN FIRST_X_ASSUM(MP_TAC o SPECL [`x + &n * y * y`; `y:real`]) THEN SIMP_TAC[REAL_ADD_ASSOC; REAL_ADD_RDISTRIB; REAL_MUL_LID] THEN REAL_ARITH_TAC; X_CHOOSE_TAC `m:num` (SPEC `f(&1) - f(&0):real` REAL_ARCH_SIMPLE) THEN DISCH_THEN(MP_TAC o SPECL [`SUC m EXP 2`; `&0`; `inv(&(suc m))`]) THEN REWRITE_TAC[REAL_ADD_LID; GSYM REAL_OF_NUM_SUC; GSYM REAL_OF_NUM_POW] THEN REWRITE_TAC[REAL_FIELD `(&m + &1) pow 2 * inv(&m + &1) = &m + &1`; REAL_FIELD `(&m + &1) pow 2 * inv(&m + &1) * inv(&m + &1) = &1`] THEN ASM_REAL_ARITH_TAC]);; John Harrison

15 Does there exist a function f from reals to reals such that for all x and y, f(x + y 2 ) f(x) y? [1] f(x + y 2 ) f(x) y for any x and y (given) [2] f(x + n y 2 ) f(x) n y for any x, y, and natural number n (by an easy induction using [1] for the step case) [3] f(1) f(0) m + 1 for any natural number m (set n = (m + 1) 2, x = 0, y = 1/(m + 1) in [2]) [4] Contradiction of [3] and the Archimedean property of the reals John Harrison

16 intermediate properties manual generated automatically

17

18

19

20

21

22 Proof assistants Automatic provers = Isabelle Isabelle vs. Vampire well suited for large formalizations but require intensive manual labor Sledgehammer fully automatic but no proof management

23 superposition select lemmas + translate to FOL = Isabelle HOL reconstruct proof SMT

24 superposition SMT refutational resolution rule term ordering equality reasoning redundancy criterion E, SPASS, Vampire, refutational SAT solver + congruence closure + quantifier instantiation + other theories (e.g. LIA, LRA) CVC4, verit, Yices, Z3,

25 How many hammers are there? pre-sledgehammer Otter in ACL2 Bliksem in Coq Gandalf in HOL98 DISCOUNT, SPASS, etc., in ILF Otter, SPASS, etc., in KIV LEO, SPASS, etc., in ΩMEGA E, Vampire, etc., in Naproche... post-sledgehammer HOLyHammer for HOLs MizAR for Mizar SMTCoq/CVC4Coq for Coq SMT integration in TLAPS...

26 Developing proofs without Sledgehammer is like walking as opposed to running. Tobias Nipkow Larry Paulson I have recently been working on a new development. Sledgehammer has found some simply incredible proofs. I would estimate the improvement in productivity as a factor of at least three, maybe five. Sledgehammers have led to visible success. Fully automated procedures can prove 47% of the HOL Light/Flyspeck libraries, with comparable rates in Isabelle. These automation rates represent an enormous saving in human labor. Thomas Hales

27 productivity teaching revolution: Isar + auto + induct + Sledgehammer lemma search higher-order (induction) other logical mismatches too much search, not enough computation/intuition end-game/transparency what about nontheorems?

28 What if the formula is wrong? Counterexample generators automatically test the goal with different values. They are useful to detect errors early, whether they are in the formula to prove or in the concepts on which it builds. lemma i j and n m implies in + jm im + jn nitpick Counterexample: i = n = 0 and j = m = 1

29

30 Under the hood HOL FORL SAT Isabelle Nitpick.Kodkod...SAT solver

31 = Isabelle HOL

32 What is HOL? HOL = higher-order logic = Church s simple theory of types + polymorphism = logic of Gordon s HOL88 and successors = logic of HOL Light, HOL Zero, ProofPower HOL = logic of PVS (+ dependent types) = logic of Isabelle/HOL (+ type classes)

33 Syntax of types ::= ( ) bool nat int... base types 0 a 0 b... type variables ) functions pairs (ASCII: *) list lists set sets... user-defined types Convention: 1 ) 2 ) 3 1 ) ( 2 ) 3 ) 33

34 Syntax of terms t ::= (t) a constant or variable (identifier) tt function application x. t function abstraction... lots of syntactic sugar Convention: ft 1 t 2 t 3 ((f t 1 ) t 2 ) t 3 34

35 Isabelle s metalogic V V The HOL types and terms are part of the metalogic. Alpha-, beta-, eta-equivalence is built-in: V (lx. t[x]) (ly. t[y]) a (lx. t[x]) u t[u] b t s t (lx s. tx) h 35

36 Notations Implication and function arrows associate to the right: a b c means a (b c) The rule format is sometimes used instead of, e.g.: a c b 36

37 Typing rules Terms must be well typed (the argument of every function call must be of the right type). ` x s : s ` c s : s ` t : t ` t : s! t ` u : s ` lx s. t : s! t ` tu: t 37

38 Type inference Isabelle computes types of variables (and polymorphic constants) automatically. In the presence of overloaded functions, this is not always possible. Users can provide type annotations inside the terms: e.g. f (x :: nat) 38

39 Currying "Thou shalt curry thy functions." Curried: f :: 1 ) 2 ) Tupled: f 0 :: 1 2 ) Currying allows partial applications: e.g. (op +) 1 39

40 Metalogical propositions Propositions have type prop (intuitionistic). Built-in operators: =) prop prop prop implication V (a prop) prop universal quantification a a prop equality V 40

41 The HOL object logic Propositions have type bool (classical). The familiar operators are defined on bool (False, True, =,,,,,,, ). is syntactic sugar for =. Trueprop is a special implicit constant that converts a bool to a prop. e.g. a b c is really Trueprop (a b) Trueprop c 41

42 Predefined syntactic sugar Infix: +,,, Mixfix: if then else, case of,... Prefix binds more strongly than infix: Prefix binds more strongly than infix: fx+ y (f x)+y 6 f (x + y) Enclose if and case in parentheses: (if then else ) 42

43 Theory = Isabelle file theory MyTh imports T 1...T n begin (definitions, theorems, proofs,...) end Types and terms must be enclosed in quotes ("), except for single identifiers. 43

44 Extensions Definitional New types are carved out of an old type. New constants are defined in terms of old ones. Axiomatic Locales New types are declared and characterized by axioms. New constants are introduced by axioms. Parameterized by types, terms, and assumptions. Assumptions discharged upon instantiation. 44

45 Definitional Type Constructors typedef a dlists = {xs : a list distinct xs} (co)datatype, quotient_type are built on typedef (Term) Constants definition id :: a => a where id x = x (co)inductive, fun, prim(co)rec, corec, lift_definition are built on definition

46 Axiomatic Type Constructors typedecl a dlist (Term) Constants axiomatization Abs_dlist :: a list => a dlist and Rep_dlist :: a dlist => a list where Abs_Rep: distinct xs ==> Rep (Abs xs) = xs

47 Locales They combine type parameters term parameters assumptions. locale semigroup = fixes f :: a => a => a (infixl "*" 70) assumes assoc: a * b * c = a * (b * c) begin end They are not part of Isabelle s kernel.

48 Proof styles Tactical (apply-style) Tactics directly modify the proof state. Backward: reduction of goal to True. Declarative (Isar-style) Textual, linearized natural deduction. Forward: intermediate steps towards final goal. 48

49 Apply-style proofs apply method apply (method arg1 argn) by method done Main methods: simp auto blast metis arith rule Also: try0 and try tools 49

50 Isar-style proofs proof method [or -] fix x 1 x n assume A 1 A n have P 1 by (method ) have P k by (method ) show Q by (method ) qed Instead of by: nested proof block. Instead of have: obtain y 1 y m where P. 50

51 Extensional equality is axiomatized, the other logical constants are definable. True := ((λx. x) = (λx. x)) All := (λp. P = (λx. True)) x. P x : All (λx. P x)

52 Demo

53 In conclusion Proof assistants are wonderful and dreadful. In some areas (esp. of computer science), they are more wonderful than dreadful. (And they are very addictive.) They can serve as the glue between automatic theorem provers, computer algebra systems, and the human. Exhortation: Try them out, and see for yourself if they make sense for your research.